Abstract— Network forensics comes under the domain of digital forensics and deals with the evidence left behind on the network after a cyber-attack. That evidence indicates the weakness that led to the crime and its possible cause. Network-focused research faces many challenges involving collection, storage, content, privacy, confiscation and admissibility. It is therefore important and critical for any network forensic researcher or investigator to adopt an efficient network forensic investigation framework or methodology in order to improve the investigation process. The main aim of this research contribution was a comprehensive analysis of the concepts of network forensics through extensive investigation, together with an analysis of the various methodologies and associated tools that should be used in network forensic investigations. A detailed and in-depth analysis of the concepts of network forensic investigation on a designed/conceived network architecture was carried out, followed by an analysis of the methodologies and tools employed. An innovative investigation framework was designed which can be used by any forensic expert. The acquired data was analyzed by obtaining information, strategizing, collecting evidence, and analyzing and reporting, applied to the conceptualized network. Consequently, the researcher adopted a powerful and efficient network forensic methodology that will ultimately help improve the investigation process. It provides the required tools and techniques, along with the requisite guidelines that determine the approach, methods and strategies to be used in the network forensic process, so that the process is executed with relevant tools that simplify and improve the forensic investigation.

Keywords— Forensic Science, Network Forensics, OSCAR. 


I. INTRODUCTION & BACKGROUND


In this section, the author presents the introduction and background of the chosen topic, Network Forensics, and the various concepts pertaining to it, including the advanced tools used to achieve it.

1.1. Introduction & Background 

Digital forensics, and subsequently network forensics, stem from forensic science; the evolution is shown below.


Fig.1.1: Forensic Science Branches (branches shown include Forensic Anthropology)
Forensic science has many sub-branches, shown in the figure above, and in each of them advanced research is being carried out by field researchers. The figure below shows in more detail how forensic science has penetrated every walk of life.
Fig.1.2: Forensic Science Penetration
Network forensics falls under the category of digital forensics (DF) and relates to monitoring and analyzing computer network traffic for data collection purposes. Unlike DF in general, network forensics deals with dynamic information. It comes under the domain of DF and relates to the investigation of evidence left on the network following a cyber-attack. This kind of forensics allows businesses to enhance their security posture and apply the requisite corrections appropriately. In fact, network forensics is a subset of digital forensics, which is itself a branch of intelligence science, where jurists look for technologies or data that contain criminal evidence. Network forensics refers to the investigation and analysis of all network traffic suspected of involvement in cybercrime, e.g. the proliferation of malicious software that steals data.

Law enforcement agencies use network forensics to analyze network traffic data collected from suspected criminal activities. Analysts search for data that identifies human interactions and file fraud, and search through the use of keywords. By using network and digital forensics, law enforcement agencies and crime investigators can track communications and can easily reconstruct time-based network events recorded through a network-controlled system.

In addition to criminal investigations, network forensics is often used to analyze network events in order to trace the origins of thefts and other security-related incidents. This includes looking at suspected network locations, collecting information about network features and resources, and identifying incidents of unauthorized network access. There exist two methods for full network forensics:

1. "Catch as much as possible" method: all network traffic is captured for later analysis, which requires a long process and substantial storage and maintenance.

2. "Stop, watch and listen" method: each data packet passing across the network is analyzed, and only what looks suspicious and worthy of analysis is retained; this needs a lot of processing power but can be achieved with less storage space.

Unlike DF, network forensics is much harder to perform, as data transferred across the network is then lost; in CF (computer forensics), data is usually stored on disk or solid-state storage, which makes it easy to access.

The applications of Digital Forensics are shown below (they include Network Forensics and Live Forensics):

Fig.1.3: Applications of Digital Forensics
The subsequent domains falling under them are shown in the figures below.
Fig.1.4: Computer Forensics
Fig.1.5: Mobile Forensics
Fig.1.6: Database Forensics
Fig.1.6: Live Forensics


And finally, Network Forensics and its challenges, being the focus of this research contribution.
Fig.1.7: Network Forensics


The investigative process includes:

I - Identification
P - Preservation
C - Collection
E - Examination
A - Analysis
P - Presentation

Fig.1.8: Network Forensics Investigative Process


Identifying attack patterns requires understanding of 
applications and network protocols. 
The Application-Specific Digital Forensics Investigative Model is shown below;
Fig.1.8: Digital Forensics Investigative Model

Network Forensics Tools include:

• Wireshark
• Tshark
• Dumpcap
• Network Forensic Analysis Tools


The requisite features are shown in the figures below.

Fig.1.9: Wireshark Features
(Source: https://www.wireshark.org/)
Fig.1.10: Tshark Features [25]
Fig.1.11: Dumpcap Features
(Source: https://docplayer.net/10961126-I3-maximizing-packet-capture-performance-andrew-brown.html)
Fig.1.12: Network Forensic Analysis Proprietary Tools
(Source: https://www.researchgate.net/figure/Proprietary-tools-for-Network-Forensics_tbl16_315726562)
1.2. The Research Problem

Not adhering to digital forensics can lead to organizations losing the continuity and availability of core services. Vulnerabilities can multiply across the network, leaving it exposed and compromising its security. This can lead to the collapse of all communication mechanisms because of network node failures, and the whole setup can be compromised by the intruding hacker.

1.3. The Purpose of the Study 

Penetration of brings many challenges associated with security and data breaches. Cyber attackers come up with extremely complicated means of infiltrating networks' security. Hence the expert administrator monitoring the network activities should be fully equipped to identify security vulnerabilities and to capture cyber offenders. The main purpose of this research contribution is to come up with a standard and innovative framework which can help in analyzing the concepts of network forensics and the methodologies and associated tools which are to be used for network forensics. This is backed by a detailed and exhaustive literature review.

1.4. Objectives 

1. Detailed insight into the concept of network forensic investigation on a conceptualized network.

2. Analyzing various methodologies and tools which can be used for network forensics.

3. Analyzing data using the "obtain information, strategize, collect evidence, analyze and report" (OSCAR) methodology on the conceived network.

4. Designing an innovative OSCAR Framework.

1.5. The Research Questions 

1. What are the concepts of network forensic investigation and how are they analyzed on the network?

2. What are the best methodologies and tools?

3. How is the methodology of obtaining information, strategizing, collecting evidence, analyzing and reporting data applied on a conceived network architecture design?

4. How is an innovative OSCAR Framework designed?

1.6. Contribution to Knowledge (Academic) 

The contribution of this research is an analysis based on the study of relevant literature. The knowledge helps researchers investigate processes which help in cyber-forensics by obtaining, analyzing, evaluating, categorizing, and identifying crucial evidence.

1.7. Statement of Significance (Practical Contribution)

The practical contribution relates to making it possible to apprehend a cyber-criminal. This is achieved by using effective network forensic investigation methodologies. The researched methodology will provide the forensic specialist with essential tools that determine the approach for obtaining, strategizing, collecting, analyzing and reporting the findings of a network forensics investigation. It will also identify the network forensic tools for the forensic investigation process.


II. Literature Review 


Here, literature review and the gaps are identified in the 
light of the reviewed publications. 


2.1. Literature Review 


The nature and type of crime call for help for the affected victims [1]. In some cases, a committed computer crime is not only a source of revenue losses but may make the affected organization inoperable. So it is important to have a way of doing the necessary research and auditing in order to study, once and for all, the associated computer criminals. One method of cyber-criminal investigation is referred to as network forensics. Network forensics is a process that involves computer research and analysis to find important information that helps in the arrest of cybercriminals [2].


It is important to bear in mind that any network connected to the internet is exposed to various cyber-attacks. Attacks are commonly designed so that they exploit the weaknesses of anything in the network. The investigator is therefore assigned the burden of coming up with strategies that are important for carrying out the network forensic process in order to diagnose the conditions of network entry [3].


The idea of protecting trade secrets has been adopted with new significance, as information has acquired independent economic or competitive value [5]. One of the many problems is that trade secrets contain important and sensitive information, and as a result of the increased information and communication space, their exchange has prompted a widespread government response in the form of strong obstacles, as in the case of Terry [6]. This is studied in depth in [7], [8], [9], [10], [11].


Almulhem added that network forensics is highly correlated with the security model. Network (digital) forensics emphasizes the design and implementation of methods, tools, and concepts aimed at improving the forensic investigation process [12]. Kilpatrick et al. propose the implementation of SCADA (supervisory control and data acquisition) systems as an important infrastructure for network forensics [13]. It also plays a key role in the implementation of machine-to-machine security methods in networks [14].
It is important to review several case studies where the concept has been used sufficiently. In particular, Kurniawan and Riadi [15] were able to test the unique framework they had obtained by using the concept of network forensics analysis to point to the behavior of the infamous Cerber ransomware. As noted by Messier and by Bensefia and Ghoualmi, most firewall systems can run as software on UNIX/Windows platforms [16] [17].


It is noteworthy that most honeypot services are secretive [18]. Honeypots are considered important components which help to improve organizational security [19]. Network forensics is different in that the evidence gathered must be accepted in court, and hence must satisfy both technical and legal concerns [20].


While intrusion detection helps in improving computer network security, network forensics is key to the corresponding need to identify evidence related to a security breach. Network forensics is helpful in resolving issues related to online terrorism, child pornography, drugs, national security, cybercrime, and corporate intelligence, among others [21] [22] [23].


2.2. Literature Gaps


There is a need to develop some tools that can parse varied 
network protocols in place or embedded in different 
networks. As most of the information carried on the 
networks is volatile, it is essential that it should be preserved 
in order to expedite the forensic process. 


III. RESEARCH METHODOLOGY AND FRAMEWORK


This section deals with the research methodology and the conceptualized framework used by the researcher.

3.1. Research Methodology

After going through the detailed literature review, 
the research selected the base paper [24]. This research 
contribution is based on following a comprehensive process 
which will be executed by using OSCAR (obtain, strategize, 
collect, analyze and report) principles. 


Fig. 3.1: OSCAR 


The research will follow the following steps.

• Network Conceptualization
• Identification of Malicious Activities
• Identifying the Source of Activity
• Application of Tools
• Decision Making based on Data Analysis


The designed network will be analysed using the following tools.

• Wireshark: packet analyser used for network troubleshooting, analysis, and software and communications protocol development.
• Tshark: network protocol analyser that captures packet data from a live network.
• Dumpcap: network traffic dump tool that captures packet data from a live network and writes it to a file.
• Network Forensic Analysis Tools (NFATs): help administrators monitor their environment for anomalous traffic, perform forensic analysis and get a clear picture of their environment.


The focus of this research contribution is centred on the need to find and examine the malware affecting network hosts. Analysis of network behaviour can reveal infections, the exploited channel, and the ransomware payload. As we are focused on network forensics, the forensic mechanisms need to be looked at in order to move forward; they fall under the following categories.

• Network Security Forensic Mechanisms
  o Embedding firewall forensics in the network.
• Honeypot Forensics
  o A network system designed to allure attackers by depicting its information as critical and sensitive.


A typical firewall forensics scenario is shown in the below 
figure. The firewall has to detect and mitigate the threat 
from the attacker using the IPs as identifiers. 


A typical honeypot deployment is shown in the below 
figure. The honeypot is placed between the internet network 
and the firewall and the attacker instead of breaking the 
firewall is allured towards the honeypot considering it as the 
main network server. This saves the other network servers 
from being attacked and compromised. 
Fig.3.2: Firewall Forensics
Fig.3.3: Honeypot Forensics (Placement in Network)


The exploration and investigation of network forensics in this research work will be done by identifying malicious activity, collecting evidence and preserving it. This will be followed by evidence reporting and decision-making based on the analysis. All network forensic processes will follow the OSCAR principle explained previously in this section. The evidence will be retrieved from the selected network and computing devices. The selected devices are shown in the table below.


Table 3.1: System Designed

No. | Category        | Details
1   | Application     | Internet Browser, E-Mail, Registry, Software, Virus, Worm, Trojans and slack, erased, swap files
2   | Deployed System | UNIX, Windows, Log and Audit System
3   | Hardware        | Personal Computer, Personal Digital Assistant, Printer, Router, Switches, Firewall, Intrusion Detection System
4   | Processing      | Type: Victim (Client), intermediate, and attacker (Hacker or the Threat Actor)


This will be followed by the source of evidence, value, effort, volatility and priority of the web proxy cache, firewall logging data and the address resolution protocol (ARP) tables used for storing the information discovered. The ARP cache helps attackers hide behind a fake IP address. The operating system audit trail, system event logs, application event logs, alert logs, recovered data, and swap files on the attacker/victim side will be analysed, in addition to the traffic data packets, firewall log, intrusion detection system log, router log, and access control log of the intermediate devices.
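As an added example (not from the paper), the ARP-table inconsistency just mentioned can be checked in the ARP snapshots collected as evidence: the Python script below flags an IP whose MAC changed between snapshots and a MAC that answers for more than one IP. The snapshot format (one "ip mac" pair per line) and the sample tables are assumptions made for the example.

```python
"""Added example, not from the paper: checking ARP table snapshots collected
as evidence for the IP-to-MAC inconsistencies that a poisoned ARP cache leaves
behind.  Snapshot format is an assumption: one 'ip mac' pair per line, and the
snapshots are passed in the order they were taken."""
import re
from collections import defaultdict
from typing import Dict, List

# One table row: dotted-quad IP, whitespace, colon-separated MAC (case-insensitive).
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*$", re.I)

def parse_snapshot(text: str) -> Dict[str, str]:
    """Return {ip: mac} for the rows that match; other lines are ignored."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_conflicts(snapshots: List[str]) -> dict:
    """Return {'changed': {ip: [mac, ...]}, 'shared': {mac: [ip, ...]}}.

    'changed' lists IPs whose MAC differed between snapshots, in the order seen;
    'shared' lists MACs that answered for more than one IP across all snapshots."""
    macs_by_ip = defaultdict(list)
    for snapshot in snapshots:
        for ip, mac in parse_snapshot(snapshot).items():
            if mac not in macs_by_ip[ip]:
                macs_by_ip[ip].append(mac)
    changed = {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}
    ips_by_mac = defaultdict(set)
    for ip, macs in macs_by_ip.items():
        for mac in macs:
            ips_by_mac[mac].add(ip)
    shared = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return {"changed": changed, "shared": shared}

# Constructed snapshots: between T0 and T1 the gateway 10.0.0.1 starts resolving
# to the MAC that also owns 10.0.0.99, the signature this check is meant to surface.
SNAPSHOT_T0 = """
10.0.0.1   00:11:22:33:44:01
10.0.0.20  00:11:22:33:44:20
10.0.0.99  de:ad:be:ef:00:99
"""
SNAPSHOT_T1 = """
10.0.0.1   de:ad:be:ef:00:99
10.0.0.20  00:11:22:33:44:20
10.0.0.99  de:ad:be:ef:00:99
"""
```

A router or a host that legitimately owns several addresses will also appear under "shared", so the output is a triage list to confirm against the device inventory, not a verdict.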


The innovative conceptualized model below is designed by the researcher.

Fig.3.4: Conceptualized Model


In the above conceptualized network design, honeypot devices (holding apparently sensitive data) are placed in the network to make it possible to carry out a detailed analysis of network activities and of the logs carried throughout the honeypot devices. Hence they are in a good position to help in finding out the attacker's logs and activities. The attacker will attack the network, and with honeypot devices strategically placed in the network, the attack activities will be logged.


IV. DATA ANALYSIS 


The conceptualized network design is discussed in detail in this section, after using various tools to capture the attacker's activities.

4.1. OSCAR Framework Design

The OSCAR design steps are followed in this phase. These are summarized below for clarity.

• Obtaining Information
  o Information regarding the incident
  o Environment
  o Time/Date
  o Discovery
  o Systems involved
  o People involved
  o Devices involved
  o Actions executed after the discovery
  o Discussions record
  o Legal issues
  o Business model
  o Available resources
  o Communication system
  o Network topology
  o Procedures
  o Processes
  o Incident response management
• Strategizing
  o Investigation goal
  o Investigation time frame
  o Investigation plan
  o Value/Cost of obtaining evidence
  o Evidence acquiring mechanisms
  o Proof acquisition
  o Source
  o Effort required
  o Volatility
  o Expected value
  o Evidence prioritization
  o Data retention policy
  o Access policy
  o Configurations policy
• Collecting Evidence
  o Obtaining evidence
  o Using reliable and reputable tools
  o Documenting
  o Capturing
  o Store/Transport
  o Security of information
• Analyzing Evidence
  o System files log
  o Resources log
  o Date, time and source of incident
  o Investigating officer profile
  o Methods used to acquire evidence
  o Devices accessed
  o Custody chain
  o Data/network traffic packets repository
  o Application of forensic tools
  o Storing/transport of log data
• Reporting
  o Technical information
  o Defensible details
  o Results
Based on the above identified parameters, a framework is 
established by the researcher as shown below. 
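An added example (not the paper's own framework code) of the "custody chain" and "store/transport" items under collecting and analyzing evidence above: a hash-linked collection log in Python, where each record carries the SHA-256 of one artefact and the hash of the previous record, so a later change to any artefact or any log entry fails verification. Artefact names, contents, collector and timestamp are constructed for the example.

```python
"""Added example, not from the paper: a hash-linked collection log for the
'collecting evidence' and 'custody chain' items listed above.  Every record
stores the SHA-256 of one artefact and the hash of the previous record, so a
later change to any artefact or to any log entry fails verification.
Artefacts are in-memory bytes here; file names and collector are constructed."""
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64  # link value for the first record

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_digest(record: dict) -> str:
    """Hash the record over canonical JSON so key order cannot change the digest."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def build_chain(artefacts: Dict[str, bytes], collector: str, collected_at: str) -> List[dict]:
    """Create one custody record per artefact, each linked to its predecessor."""
    chain, prev = [], GENESIS
    for seq, (name, data) in enumerate(sorted(artefacts.items()), start=1):
        record = {"seq": seq, "name": name, "size": len(data), "sha256": sha256_hex(data),
                  "collector": collector, "collected_at": collected_at, "prev": prev}
        record["record_hash"] = record_digest(record)
        chain.append(record)
        prev = record["record_hash"]
    return chain

def verify_chain(chain: List[dict], artefacts: Dict[str, bytes]) -> List[str]:
    """Return the problems found; an empty list means log and artefacts are intact."""
    problems, prev = [], GENESIS
    for record in chain:
        name = record.get("name", "?")
        if record.get("prev") != prev:
            problems.append(f"{name}: link to previous record broken")
        if record_digest(record) != record.get("record_hash"):
            problems.append(f"{name}: record altered")
        data = artefacts.get(name)
        if data is None:
            problems.append(f"{name}: artefact missing")
        elif sha256_hex(data) != record.get("sha256"):
            problems.append(f"{name}: artefact hash mismatch")
        prev = record.get("record_hash")
    return problems

# Constructed evidence set matching the evidence sources named in Table 4.1
# (the pcap is just a global header; the log lines are invented).
EVIDENCE = {
    "capture.pcap": bytes.fromhex("d4c3b2a1020004000000000000000000ffff000001000000"),
    "firewall.log": b"2024-03-01T10:15:02Z DROP TCP 10.0.0.99:40000 -> 10.0.0.20:23\n",
    "arp_table.txt": b"10.0.0.1 de:ad:be:ef:00:99\n10.0.0.99 de:ad:be:ef:00:99\n",
}
```

In practice the log itself is written to storage separate from the artefacts, and the final record hash is noted on the physical custody form, so that the two can be cross-checked at hand-over.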


Fig.4.1: Designed Framework 


4.2. Selected Tools

The following tools were selected for the analysis of the conceptualized network, along with the functionalities used.

• Wireshark
  o For capturing, filtering and analyzing network traffic.
• Tshark
  o Data network protocol analyzer used for capturing and reading traffic data from a live data network or from packetized data files.
• Dumpcap
  o Network traffic analysis is done through the use of this tool, which is designed to capture the data packets.
• Network Forensic Analysis Tools
  o Used for tracking networks and gathering malicious traffic information.
4.3. Data Analysis

The conceptualized network is implemented using the tools outlined in the previous section. The table below outlines the setup details.

Table 4.1: Design Setup

No. | Item               | Details
1   | Source of Evidence | Web Proxy Cache, Firewall logs, Address Resolution Protocol Tables
2   | Affiliation        | End side - attacker and/or victim side (Operating system audit trail, system event log, application event log, alert log, recovered data, and swap files); Intermediate (Traffic data packets, firewall log, IDS log, router log, and access control log)
3   | Device/Tool        | Laptop-1 (Usage: Creating test network & host proxies); iPad (Usage: Test device connected to test network); Proxy (Usage: Capture/save live network traffic); Wireshark (Usage: Capture/save live network traffic); Burp Suite (Usage: Capture live network traffic); Laptop-2 (Usage: Network forensics of iOS apps); Network Miner (Usage: Analyze network traffic)

During the collection of network-based evidence, special care was taken regarding collection, storage, content, privacy, confiscation and admissibility. The test network was designed on Laptop-1 in addition to the host proxies. The testing was done using the iPad as the testing device. The proxy was used to capture the live network traffic. Capturing and saving of the network traffic was achieved through the Wireshark tool and Burp Suite. Burp Suite is used to set up a proxy which allows the web architecture to be tested by routing web traffic through it. Network forensics data was collected from the applications on Laptop-2, while the analysis of the network traffic was done using Network Miner. The figures below show the stepwise


Fig.4.2: Test Network Design
Fig.4.3: Capturing Traffic using Wireshark Tool
Fig.4.4: Penetration Testing with Burp Suite & Wireshark (Uncovering Vulnerabilities)

Fig.4.6: Network Miner for Analysis of Network Traffic


V. CONCLUSIONS AND FUTURE RECOMMENDATIONS


The section looks at the conclusions of the research and the 
future recommendations. 

5.1. Conclusions 

Following are the outcomes and conclusions of this research contribution.

• Detailed analysis of network forensic investigation on a conceptualized network.
• Methodologies/tools used were analysed and studied in depth.
• Analysed the data using the "obtain information, strategize, collect evidence, analyse and report" (OSCAR) methodology on the conceived network.
• Designed an innovative OSCAR Framework which can be adopted in any network forensic analysis implementation.
• It was found that network forensic science is extremely essential, and it helps a cyber-forensics investigator to:
  o O - Obtain
  o A - Analyse
  o E - Evaluate
  o C - Categorize
  o I - Identify crucial evidence
• Helps in apprehending cyber-criminals.
• A network forensics investigator should adopt and utilize efficient network forensic investigation methodologies.
• The OSCAR methodology equips the forensic investigator with critical tools and guidelines to develop:
  o Approach
  o Methods
  o Strategies
  o Strategizing
  o Collecting
  o Analysing
  o Report of findings
• A network forensics expert should use top-of-the-line tools.


5.2. Future Recommendations

Following are the recommendations for future research work.

• Development of tool kits which can analyse varied network protocols.
• Preserve and document data selectively in advance to speed up the forensic process.